general/occlum
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4966e473a2
occlum/docs/readthedocs/docs/source/occlum_configuration.md
Qi Zheng 4966e473a2 [readthedocs] Init readthedocs for Occlum
2023-07-12 13:50:31 +08:00

7.0 KiB
Raw Blame History

Occlum Configuration

Occlum can be configured easily via a configuration file named Occlum.yaml, which is generated by the occlum init command in the Occlum instance directory. The user can modify Occlum.yaml to configure Occlum. The template of Occlum.yaml is shown below.

# All the settings below can only take effect after `occlum build`.
resource_limits:
  # The number of OS threads created for this instance.
  num_of_cpus: 128
  # The stack size of LibOS kernel.
  kernel_space_stack_size: 16MB
  # The heap size of LibOS kernel.
  # With EDMM support, choose "init" size based on the expected initialization time. And increase the "max" field if memory insufficiency occurs.
  # Without EDMM support, increase the "init" field if memory insufficiency occurs. And the "max" field is ignored.
  kernel_space_heap_size:
    # Reserved and committed during the initialization stage. The more, the longer it takes to initialize.
    init: 32MB
    # Only committed when necessary. Only valid with EDMM support.
    max:  512MB
  # The total size of enclave memory available to the user applications running in LibOS.
  # With EDMM support, choose "init" size based on the expected initialization time. And increase the "max" field if memory insufficiency occurs.
  # Without EDMM support, increase the "init" field if memory insufficiency occurs. And the "max" field is ignored.
  user_space_size:
    # Reserved and committed during the initialization stage. The more, the longer it takes to initialize.
    init: 256MB
    # Only committed when necessary. Only valid with EDMM support.
    max:  64GB
process:
  # Default stack size for each process. If not sure, don't modify it.
  default_stack_size: 4MB
  # Default heap size for each process. If not sure, don't modify it.
  default_heap_size: 32MB

# Entry points
# Specify all valid absolute <path> in `occlum run <path> <args>`.
# This prevents outside attackers from executing arbitrary commands inside an
# Occlum-powered enclave.
entry_points:
  - /bin

# Environment variables
#
# This gives a list of environment variables for the "root" process started
# by `occlum run` or `occlum exec` command.
env:
  # The default env vars given to each "root" LibOS process. As these env vars
  # are specified in this config file, they are considered trusted.
  default:
    - OCCLUM=yes
  # The untrusted env vars that are captured by Occlum from the host environment
  # and passed to the "root" LibOS processes. These untrusted env vars can
  # override the trusted, default envs specified above.
  # For example, `OCCLUM=no occlum run xxx` can pass the env OCCLUM=no to the process
  # running in LibOS with below settings.
  #     env:
  #       default:
  #         - OCCLUM=yes
  #       untrusted:
  #         - OCCLUM
  untrusted:
    - EXAMPLE

# Enclave metadata
# If not sure, just keep them no change
metadata:
  # Enclave signature structure's ISVPRODID field
  product_id: 0
  # Enclave signature structure's ISVSVN field
  version_number: 0
  # Whether the enclave is debuggable through special SGX instructions.
  # If set to false, no log could be output.
  # For production enclave, it is IMPORTANT to set this value to false.
  debuggable: true
  # SGX Key Separation and Sharing feature support.
  # Please always keep it as true.
  enable_kss: true
  # Enclave signature structure's ISVEXTPRODID field.
  # It is separated as two 16 bytes strings.
  ext_prod_id:
    high: '0x0'
    low: '0x0'
  # Whether to turn on PKU feature in Occlum
  # Occlum uses PKU for isolation between LibOS and userspace program,
  # It is useful for developers to detect potential bugs.
  #
  # "pkru" = 0: PKU feature must be disabled
  # "pkru" = 1: PKU feature must be enabled
  # "pkru" = 2: PKU feature is enabled if the platform supports it
  pkru: 0

# Mount points and their file systems
mount:
  # RootFS mount point and file systems.
  # Generally, just don't change it.
  - target: /
    type: unionfs
    options:
      layers:
        # The read-only layer which is generated in `occlum build`
        - target: /
          type: sefs
          source: ./build/mount/__ROOT
          options:
            MAC: ''
        # The read-write layer whose content is produced when running the LibOS
        - target: /
          type: sefs
          source: ./run/mount/__ROOT
          # options:
          # The SEFS just uses MRSIGNER to drived key by default, so the data can
          # be shared between same enclave signer on the same machine.
          # If you want more secure scheme, you can set the autokey_policy field
          # to 1 to enforcing the key is derived by MRSIGNER|MRENCLAVE|ISVFAMILYID.
          # So the data can only be accessed by the enclave itself.
          #  autokey_policy: 1
  #
  # HostFS mount
  # It provides a channel to exchange files between Host FS and LibOS FS.
  # Just note, with this mount, the files written to the target in the LibOS
  # is recognizable to users in the Host thus may introduce security issue.
  #
  # For example, below section mount the occlum_instance directory in the Host FS
  # to the path /host in the LibOS FS.
  # It is disabled in default. Uncomment it if you are very sure about it.
  # - target: /host
  #   type: hostfs
  #   source: .
  #
  # Async FS mount
  # - target: /sfs
  #   type: async_sfs
  #   source: ./run/async_sfs_image
  #   options:
  #     total_size: 4GB

# Untrusted Unix domain socket
# Besides the common Unix domain socket support that both ends are created in the same
# Occlum instance, the Untrusted Unix domain socket can support cross-world connection by
# mapping a libos socket address with the host socket address. In this way, a Unix domain
# socket created in Occlum can communicate with a Unix domain socket in the host OS or in
# another Occlum instance.
# Uncomment and customize below if you are very sure about it.
#
# untrusted_unix_socks:
# The libos path and the host path correspond to the same host sock file.
# The host side should use the host path and libos side should use the libos path.
#
# Specify socket file in absolute path
  # - host: /tmp/occlum/test.sock
  #   libos: /root/test.sock
# Or any files in the path
  # - host: /tmp/root/
  #   libos: /root/
# Or the host path can be a relative path and is relative to the current Occlum instance dir.
  # - host: ../test.sock
  #   libos: /tmp/test.sock

Runtime Resource Configuration for Occlum process

Occlum has enabled per process resource configuration via prlimit syscall and shell built-in command ulimit.

#! /usr/bin/bash
ulimit -a

# ulimit defined below will override configuration in Occlum.yaml
ulimit -Ss 10240 # stack size 10M
ulimit -Sd 40960 # heap size 40M
ulimit -Sv 102400 # virtual memory size 100M (including heap, stack, mmap size)

echo "ulimit result:"
ulimit -a

# Run applications with the new resource limits
...

For more info, please check demos/fish.